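// Package bw6756 provides an efficient elliptic curve, pairing and hash-to-curve implementation for bw6-756.
//
// bw6-756: A Brezing--Weng curve (2-chain with bls12-378)
//
//	embedding degree k=6
//	seed x₀=11045256207009841153
//	𝔽p: p=366325390957376286590726555727219947825377821289246188278797409783441745356050456327989347160777465284190855125642086860525706497928518803244008749360363712553766506755227344593404398783886857865261088226271336335268413437902849
//	𝔽r: r=605248206075306171733248481581800960739847691770924913753520744034740935903401304776283802348837311170974282940417
//	(E/𝔽p): Y²=X³+1
//	(Eₜ/𝔽p): Y² = X³+33 (M-type twist)
//	r ∣ #E(Fp) and r ∣ #Eₜ(𝔽p)
//
// case t % r % x₀ = 3
//
// Extension fields tower:
//
//	𝔽p³[u] = 𝔽p/u³-33
//	𝔽p⁶[v] = 𝔽p³/v²-u
//
// optimal Ate loops:
//
//	x₀+1, x₀²-x₀-1
//
// Security: estimated 126-bit level following [https://eprint.iacr.org/2019/885.pdf]
// (r is 378 bits and p⁶ is 4536 bits)
//
// # Warning
//
// This code has not been audited and is provided as-is. In particular, there are
// no security guarantees such as constant time implementation or side-channel
// attack resistance.
package bw6756

import (
	"math/big"

	"github.com/consensys/gnark-crypto/ecc"
	"github.com/consensys/gnark-crypto/ecc/bw6-756/fp"
	"github.com/consensys/gnark-crypto/ecc/bw6-756/fr"
)

// ID is the ecc.ID identifying the BW6-756 curve.
const ID = ecc.BW6_756

// aCurveCoeff and bCurveCoeff are the a and b coefficients of the curve
// Y²=X³+ax+b (a=0, b=1, set in init).
var aCurveCoeff fp.Element
var bCurveCoeff fp.Element

// bTwistCurveCoeff is the b coefficient of the twist curve (defined over 𝔽p).
// The twist is M-type, so it is b multiplied by the tower non-residue (33).
var bTwistCurveCoeff fp.Element

// Generators of the r-torsion group, resp. in ker(pi-id), ker(Tr).
var g1Gen G1Jac
var g2Gen G2Jac

// Affine copies of the generators above.
var g1GenAff G1Affine
var g2GenAff G2Affine

// Points at infinity in Jacobian coordinates, (X,Y,Z) = (1,1,0).
var g1Infinity G1Jac
var g2Infinity G2Jac

// Optimal Ate loop counters: LoopCounter holds the signed-digit (NAF) expansion
// of x₀+1, LoopCounter1 that of x₀³-x₀²-x₀ = x₀·(x₀²-x₀-1), both little-endian.
var LoopCounter [191]int8
var LoopCounter1 [191]int8

// Parameters useful for the GLV scalar multiplication. The third roots define the
// endomorphisms ϕ₁ and ϕ₂ for <G1Affine> and <G2Affine>. lambda is such that <r, ϕ-λ> lies above
// <r> in the ring Z[ϕ]. More concretely it's the associated eigenvalue
// of ϕ₁ (resp ϕ₂) restricted to <G1Affine> (resp <G2Affine>)
// see https://www.cosic.esat.kuleuven.be/nessie/reports/phase2/GLV.pdf
var thirdRootOneG1 fp.Element
var thirdRootOneG2 fp.Element
var lambdaGLV big.Int

// glvBasis stores R-linearly independent vectors (a,b), (c,d)
// in ker((u,v) → u+vλ[r]), and their determinant
var glvBasis ecc.Lattice

// xGen is the curve seed x₀ (see the package documentation). It is not a
// group generator; those are g1Gen/g2Gen.
var xGen big.Int

// mustSetFp parses a decimal constant into z. The literals passed here are
// hard-coded curve parameters, so a parse failure is a programming error:
// panicking at init is preferable to silently continuing with a zeroed
// generator or endomorphism constant.
func mustSetFp(z *fp.Element, s string) {
	if _, err := z.SetString(s); err != nil {
		panic("bw6756: malformed fp constant: " + err.Error())
	}
}

// mustSetBig parses a base-10 constant into z, panicking on malformed input
// for the same reason as mustSetFp.
func mustSetBig(z *big.Int, s string) {
	if _, ok := z.SetString(s, 10); !ok {
		panic("bw6756: malformed big.Int constant: " + s)
	}
}

// init fills in the curve constants: coefficients, generators, Miller loop
// counters, GLV endomorphism parameters and the seed.
func init() {
	aCurveCoeff.SetUint64(0)
	bCurveCoeff.SetOne()
	bTwistCurveCoeff.MulByNonResidue(&bCurveCoeff)

	// E(3,y) * cofactor
	mustSetFp(&g1Gen.X, "286035407532233812057489253822435660910062665263942803649298092690795938518721117964189338863504082781482751182899097859005716378386344565362972291164604792882058761734674709131229927253172681714645554597102571818586966737895501")
	mustSetFp(&g1Gen.Y, "250540671634276190125882738767359258920233951524378923555904955920886135268516617166458911260101792169356480449980342047600821278990712908224386045486820019065641642853528653616206514851361917670279865872746658429844440125628329")
	g1Gen.Z.SetOne()

	// E(1,y) * cofactor
	mustSetFp(&g2Gen.X, "270164867145533700243149075881223225204067215320977230235816769808318087164726583740674261721395147407122688542569094772405350936550575160051166652281373572919753182191250641388443572739372443497834910784618354592418817138212395")
	mustSetFp(&g2Gen.Y, "296695446824796322573519291690935001172593568823998954880196613542512471119971074118215403545906873458039024520146929054366200365532511334310660691775675887531695313103875249166779149013653038059140912965769351316868363001510735")
	g2Gen.Z.SetOne()

	g1GenAff.FromJacobian(&g1Gen)
	g2GenAff.FromJacobian(&g2Gen)

	// x₀+1, as little-endian signed digits; 16 digits per row, 191 in total.
	LoopCounter = [191]int8{
		0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
		0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
		0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1,
		0, 0, 0, 1, 0, 0, 1, 0, 1, 0, 0, -1, 0, 1, 0, 1,
		0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
		0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
		0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
		0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
		0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
		0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
		0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
		0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
	}

	// x₀³-x₀²-x₀
	var loop1 big.Int
	mustSetBig(&loop1, "1347495683935914696108087318582641220368021451587784278015")
	ecc.NafDecomposition(&loop1, LoopCounter1[:])

	// (X,Y,Z) = (1,1,0); Z keeps its zero value.
	g1Infinity.X.SetOne()
	g1Infinity.Y.SetOne()
	g2Infinity.X.SetOne()
	g2Infinity.Y.SetOne()

	mustSetFp(&thirdRootOneG2, "99497571833115712246976573293861816254377473715694998268521440373748988342600853091641405554217584221455319677515385376103078837731420131015700054219263015095146628991433981753068027965212839748934246550470657")
	thirdRootOneG1.Square(&thirdRootOneG2)
	mustSetBig(&lambdaGLV, "164391353554439166353793911729193406645071739502673898176639736370075683438438023898983435337729") // (x⁵-3x⁴+3x³-x+1)
	rModulus := fr.Modulus()
	ecc.PrecomputeLattice(rModulus, &lambdaGLV, &glvBasis)

	mustSetBig(&xGen, "11045256207009841153")
}

// Generators returns the generators of the r-torsion group, resp. in
// ker(pi-id), ker(Tr), in Jacobian and affine form. The returned values are
// copies of the package-level generators, so callers may mutate them freely.
func Generators() (g1Jac G1Jac, g2Jac G2Jac, g1Aff G1Affine, g2Aff G2Affine) {
	g1Jac = g1Gen
	g2Jac = g2Gen
	g1Aff = g1GenAff
	g2Aff = g2GenAff
	return g1Jac, g2Jac, g1Aff, g2Aff
}

// CurveCoefficients returns the a, b coefficients of the curve equation
// Y²=X³+ax+b (a=0, b=1 for bw6-756).
func CurveCoefficients() (a, b fp.Element) {
	return aCurveCoeff, bCurveCoeff
}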